Messages - jfb1337

1
Also, I don't think CD3D would actually be possible since it gets written to when you select a pokemon, at which point there's no way to change it before the point it is read when you select one of the field moves. I was originally thinking about super glitch corruption from the unused field move, but the game stores names of field moves separately so this one is just a properly terminated empty string.
2

I didn't see your "git grep "jp hl"", though? And I can't do it because of a lack of Linux etc.

Here:
Code:
pokered$ git grep "jp hl"
engine/menu/naming_screen.asm:  jp hl
home/text.asm:  jp hl
home/text.asm:  jp hl

3
Does HRAM manipulation also count as ACE? Or not because the only way to get it is by already having ACE in the first place?

Anyway, I decided to do a search for jp [hl] to find other potential ACE entry points (besides the ones that mess with the stack such as trade centre RCE, or exotic stuff like cartswap and HRAM manip, or potentially anything that messes with the ROM bank in an unexpected manner, or anything which pushes something to the stack and then rets to it, though I don't know if the game ever does this):

Code:
pokered$ git grep "jp \[hl\]"
engine/battle/animations.asm:   jp [hl] ; jump to special effect function
engine/battle/animations.asm:   jp [hl]
engine/battle/animations.asm:   jp [hl]
engine/battle/animations.asm:   jp [hl]
engine/battle/battle_transitions.asm:   jp [hl]
engine/battle/core.asm: jp [hl]
engine/battle/core.asm: jp [hl]
engine/battle/core.asm: jp [hl] ; jump to special effect handler
engine/battle/trainer_ai.asm:   jp [hl]       ; execute modification function
engine/battle/trainer_ai.asm:   jp [hl]
engine/cable_club.asm:  jp [hl]
engine/items/items.asm: jp [hl]
engine/menu/start_sub_menus.asm:        jp [hl]
engine/menu/text_box.asm:       jp [hl] ; jump to the function
engine/overworld/player_state.asm:      jp [hl]
engine/overworld/ssanne.asm:    jp [hl]
engine/palettes.asm:    jp [hl]
engine/slot_machine.asm:        jp [hl]
engine/trade.asm:       jp [hl] ; call trade func, which will return to the top of the loop
home.asm:       jp [hl]
home.asm:       jp [hl]
home.asm:       jp [hl]
home/overworld.asm:     jp [hl] ; jump to script
home/predef.asm:        jp [hl]

OK so that's 24 possibilities (for R/B at least, haven't checked Y):

- The 4 in animations.asm look like they're either non-manipulable, or fall under Glitch Move ACE (via animation pointers)

- The 1 in battle_transitions.asm is non-manipulable (only influenced by bc which is set to 0, then only set by a few functions that never set bc to something invalid)

- The 3 in core.asm are either non-manipulable or fall under Glitch Move ACE (via move effects)

- The 1 in trainer_ai.asm is the ZZAZZ trainer ACE (are there other glitch trainers that trigger ACE too?)

- The 1 in cable_club.asm seemed interesting, but it turns out that the address it reads from to determine the jump, CC38 aka wTradeCenterPointerTableIndex, is set right before every call of the function that contains the jump, so it's unmanipulable.

- The 1 in items.asm is Glitch Item ACE, the 8F that we all know and love

- The 1 in start_sub_menus.asm is for out of battle moves, which seemed interesting since there is an unused field move $B4, but it would just act like surf since in its place is an extra pointer to the surf function. But maybe $cd3d AKA wFieldMoves could be manipulated somehow? Though this is very unlikely.

- The 1 in text_box.asm doesn't seem manipulable since it searches through a table that is properly terminated by $FF

- The 1 in player_state.asm looks interesting: It's determined by wSpriteStateData1 + 9, aka $C109, the player's current direction. Could that be potentially manipulated somehow?

- The 1 in ssanne.asm is ALSO based on wSpriteStateData1 + 9

- The 1 in palettes.asm is about SGB palette commands. But it seems like every time RunPaletteCommand is called, b is already set to a valid palette command, so there doesn't seem to be room for manipulation.

- The 1 in slot_machine.asm is for a pointer to a reward function that's based on the symbol on the wheel that matched. Unfortunately that doesn't seem possible to manipulate.

- The 1 in trade.asm is non-manipulable, as the pointer it uses is only ever set to a valid trade animation function which just follows a fixed sequence defined entirely in ROM.

- The 3 in home.asm are in Bankswitch, CallFunctionInTable, and CheckForHiddenObjectOrBookshelfOrCardKeyDoor.
--The latter is non-manipulable since it searches for a pointer in a well-terminated array, so it only loads valid hidden object pointers.
--Bankswitch is also non-manipulable since hl is always set properly before it is called.
--CallFunctionInTable is only used in scripts (which would fall under the map script ACE methods) and a couple of places in home.asm, one also to do with map scripts, and the other for NPC movement scripts; after a quick glance over where the addresses involved are used, they all seem to be set only to constant values, unless $CC57 or $CF10 could be manipulated somehow.

- The 1 in overworld.asm is the map script, which covers 3 types of map pointer ACEs.

- Finally, the one in predef.asm is for Predef pointers. Probably not manipulable since a predef ID is always set before calling Predef.

I was surprised that TextCommandProcessor doesn't show up, but I discovered that actually uses "jp hl" instead of "jp [hl]" like I was searching for.

There are 2 other instances of "jp hl": One also in text.asm to a non manipulable function table, since it's only used when a < 0xE [even if this were manipulable, it wouldn't be very useful since it's part of the text command processor which you can already use 08 to turn into ACE anyway]. The other is in naming_screen.asm, on a non-manipulable table for button input.

Anyway, the next interesting thing to search for is TextCommandProcessor itself:

Code:
pokered$ git grep TextCommandProcessor
engine/cable_club.asm:  call TextCommandProcessor
engine/menu/pokedex.asm:        call TextCommandProcessor ; print pokedex description text
home.asm:       call TextCommandProcessor
home.asm:       jp TextCommandProcessor
home/text.asm:  call TextCommandProcessor
home/text.asm:TextCommandProcessor::
home/text.asm:  call TextCommandProcessor

The calls in text.asm are the handlers for TX_FAR, and Char55, which points to a fixed text in ROM.
The call in cable_club.asm is also a fixed text string.
The call in pokedex.asm is this ACE method!
The calls in home.asm are part of PrintText, which gives us something else to search for, and TrainerEndBattletext. Could we possibly manipulate the win/lose text pointers at d08c from within battle?

At this point I searched for PrintText... and there are TONS of results, too many to list here and more than I'm willing to check at the moment. They probably fall into the category of glitch text box ACE though.

But if anyone wants to add a 13th method to the list, PrintText is a good place to start.

Also, note that ACE doesn't necessarily need to point to RAM - Maybe there's something which points somewhere in ROM that's in the middle of a function that messes with the push/pop balance, causing the game to jump again to somewhere else when it hits a ret? A bit like how Coin Case ACE works.

Also, research into what unlocks SRAM would be nice, since sometimes when I hit an rst 38 I lose my save, and sometimes I don't, with no pattern I can see, so it would be nice to know what unlocks SRAM so I could take precautions.
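The triage done by hand in this post (list every jp hl / jp [hl], then check how hl was last set before the jump) can be mechanised. The following Python script is an added example, not code from the post or from the pokered disassembly; it runs over a constructed assembly snippet whose labels and routine names are invented for the demo. For each indirect jump it walks back to the enclosing label, collects the instructions that wrote h, l or hl, and reports the target as constant only when every writer loaded an immediate or a label, as computed when any writer used a register, memory or hl arithmetic (the table-lookup pattern), and as caller-controlled when nothing in the routine set hl at all (the Bankswitch case above).

```python
import re

# Constructed sample in pokered-style RGBDS syntax. Labels, routine and
# variable names are invented for this demo, not taken from the disassembly.
SAMPLE_ASM = {
    "engine/example_dispatch.asm": """\
DispatchByIndex:
    ld a, [wExampleIndex]   ; index comes from WRAM
    add a
    ld hl, ExamplePointers
    ld e, a
    ld d, 0
    add hl, de              ; hl now depends on the WRAM value
    ld a, [hli]
    ld h, [hl]
    ld l, a
    jp hl                   ; indirect jump through the table entry

FixedTarget:
    ld hl, ExampleRoutine
    jp [hl]                 ; target is a fixed label
""",
    "home/example_bankswitch.asm": """\
ExampleBankswitch::
    ld [wExampleSavedBank], a
    jp hl                   ; hl was prepared by the caller
""",
}

INDIRECT_JP = re.compile(r"^jp\s+(hl|\[hl\])$")
LABEL = re.compile(r"^[A-Za-z_.][\w.]*::?$")
HL_WRITER = re.compile(r"^(ld\s+(hl|h|l)\s*,|pop\s+hl|add\s+hl|inc\s+hl|dec\s+hl)")
REGISTERS = {"a", "b", "c", "d", "e", "h", "l", "af", "bc", "de", "hl", "sp"}


def strip_comment(line):
    """Drop an inline ';' comment and surrounding whitespace."""
    return line.split(";", 1)[0].strip()


def writer_kind(instr):
    """'constant' if the instruction loads hl/h/l from an immediate or a label,
    'computed' for register or memory operands and for arithmetic on hl."""
    m = re.match(r"ld\s+(?:hl|h|l)\s*,\s*(.+)$", instr)
    if m:
        operand = m.group(1).strip().lower()
        if operand in REGISTERS or operand.startswith("["):
            return "computed"
        return "constant"
    return "computed"  # pop hl / add hl / inc hl / dec hl depend on earlier state


def audit_indirect_jumps(files):
    """Return one finding per 'jp hl' / 'jp [hl]': the hl writers found between
    the enclosing label and the jump, in source order, plus a triage verdict."""
    findings = []
    for path, text in files.items():
        lines = text.splitlines()
        for idx, raw in enumerate(lines):
            if not INDIRECT_JP.match(strip_comment(raw)):
                continue
            writers = []
            for back in range(idx - 1, -1, -1):
                prev = strip_comment(lines[back])
                if LABEL.match(prev):
                    break  # reached the start of the routine
                if HL_WRITER.match(prev):
                    writers.append(prev)
            writers.reverse()
            if not writers:
                verdict = "caller-controlled"
            elif all(writer_kind(w) == "constant" for w in writers):
                verdict = "constant"
            else:
                verdict = "computed"
            findings.append({"file": path, "line": idx + 1,
                             "writers": writers, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_indirect_jumps(SAMPLE_ASM):
        print(f"{f['file']}:{f['line']}: {f['verdict']:<18} hl set by: {f['writers']}")
```

A "computed" verdict is only a prompt to look closer, exactly as in the list above: a table index that is always range-checked, or a table that is properly terminated, still ends up non-manipulable. The script stops at the nearest label, so a routine that falls through from an earlier label would need the scan widened.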
4
Here is a script that should work for an arbitrary encounter level:

Repel x[Species index]  ; ld e, [species index]
Awakening x[Level]      ; ld c, [level]
X Speed x64             ; ld b, e / ld b, b
TM05 x72
Lemonade x201           ; call 3E38 / ret

Replacing the lemonade x201 with a lemonade x4 followed by a TM01 x[any] would also work. (x4 corresponds to inc b which basically does nothing at this point). But the lemonade is important.
5
If this is your first time using ACE, I'd recommend first trying out some of the small scripts in the main thread, such as getting any item or any pokémon, and trying to understand how they work. The disassembly might help with understanding too.

Then you could start trying to make your own scripts, whenever you think of something that might be useful, using the Big Hex List and ISSOtm's compiler to help.

If you're unsure of anything, try it in an emulator first - especially for things that might have a chance to crash and corrupt the save file and/or things that take a long time to set up.

If your main goal is cartswapping, you can try a basic cartswap script at this point, that would soft reset into the swapped cart without any additional custom code.

Once you feel you have enough experience with ACE, you can start something more ambitious, like Offgao's memory editor, which I programmed into my game using a slightly modified version of ZZAZZ's route 1 bike method - it's a GUI memory editor.

Then, it should be possible to write a program that allows a cartswap into another game, then copy the memory editor + any other set up you want (like putting an 8F in the bag, bootstrap in your party, etc) into the save file before jumping into the initialisation routine.

In theory it should be possible to patch up the initialisation script, like ZZAZZ did for Super Mario, and skip over the part that clears HRAM, allowing custom code to be injected into the title screen, which would also give you control over starting a new save file as well as just continuing - which would allow you to do the stuff you want such as having access to 8F and the GUI memory editor from the start.
6
The required 8F bootstrap would be jp $DA80, which is H# (glitch item $C3) x128 / TM18 x any.
Or if you don't like the glitch item, it could be replaced with either TM18 or TM10, for jp c, xxxx or jp nc, xxxx respectively, one of those should work but I'm not sure which. It might be a good idea to make the any quantity x201 or put a TM01 afterwards, so if the wrong one is used then nothing happens (instead of a crash).

As for the nicknames, was there ever previous data on the cart in that box? If so then it might be left over from that, but I'm not sure.

Do the nicknames even matter? It looks like the code isn't long enough to reach them, so would it be safe for me to overwrite them with properly terminated nicknames? And would this make it safe to view the stat pages, to allow for easy comparison between console and emulator?

For Cryo's version, do the 7 pokemon in the box matter? It seems like only the ones that encode the jp instruction should do.

Also, it seems possible to avoid having to write out the tiles elsewhere in memory by replacing the GetChar function with
Code:
GetChar:
    and a, $0F
    add a, $F6 ; '0'
    jr nc, .digit
    add a, $60 ; 'A'
.digit
    ld (hl+), a
    ret
which is 2 bytes shorter than it is in Cryo's version (don't know about Torchicken's version), and saves 16 bytes of tile IDs.

Edit: I tried this with Torchicken's version on BGB and it worked. (I also had my nicknames be blank spaces instead of 9s both when using box 1 on BGB and box 12 on VC. Don't know why)

Edit2: I think I figured out the nickname thing: From a fresh cart, SRAM will be initialised with (mostly?) 00. However, the ClearSAV function fills SRAM with FF, which corresponds to the 9 character. So if you've ever cleared the save file with the button combo that clears it, your uninitialised nicknames are all 9, otherwise they're blank spaces.
7
In some instructions for pomeg corruption I see that a specific 4th move is required. What does this 4th move do, and why does it differ between regions?
8
Yes, but once you have ACE then what the game does shouldn't be a limiting factor, should it? You could just enter your own loop of checking whether GB carts are inserted and reading from them if there are new ones, without returning to the game's code. Unless it runs in a separate thread that the OS won't let us kill, which is unlikely.

And yes, for TAS, reading from the controllers is the easiest way to go, but if, as a non-TASing human, you want to use a large payload more than once for some reason, then it would be easier to store it, especially if you have access to one of those things that allow you to read/write the save file of a GB cart from a PC; then you wouldn't have to manually enter the payload at all.
9
The GitHub page says the maximum payload would be just under 128kb via 4 GB saves. But wouldn't it be possible to write a program that allows the user to keep removing GB carts to plug in new ones, and loading all the data off those? That way you could have an arbitrarily large payload - limited only by the N64's RAM size.
10
I was trying to build an 8F script on VC Blue, and accidentally created a glitch item (think it was 0x86). Without really thinking, I clicked on it, and my game crashed into a stripey screen. But when I restarted, the save file was gone - it didn't give any error message or anything, the continue option was just removed from the menu. As far as I'm aware, this can only happen when the player name gets corrupted in SRAM with no terminator. What happened here? Is there any point where the game opens SRAM without closing it? Or did the glitch item open SRAM by itself? This has happened to me before when I used 8F without the correct setup and must have hit an rst 38, but I've also done that before without my save file deleting.
11
Ah, thanks, I was wondering what the .sym files were for, for some reason it didn't occur to me to look inside them!

Edit: And here is said script:
Code:
Carbos x90
Master Ball x14
Poké Ball x84
Repel x128
Carbos x24
X Accuracy x134
TM29 x0
Carbos x144
X Accuracy x0
TM01 x[Any qty]

Code:
ld h, $5A
ld bc, $040E ; b = BANK(FontGraphics), c = 14 = how many tiles to copy
ld d, h
ld e, $80 ; de = FontGraphics
ld h, $18
ld l, $86
push hl ; hl = CopyVideoDataDouble
nop
ld h, $90
ld l, $0 ; hl = the tiles in VRAM that come after the digits
ret ; jumps to CopyVideoDataDouble (done this way to avoid glitch items and key items that would result from directly using call or jp)

This turns the tiles beyond the numbers that glitch quantities read from into the letters A through P, so it's easier to see how many items you have / are tossing. (There will also be a bunch of letters all over the background).

The effect goes away when entering/leaving a building, entering/leaving a battle, resetting the game, or closing the PC item menu, and maybe a few other things.

Tested with English blue on BGB.
12
The ld a, [hld] / ld [hli], a part is what copies the quantity of the item to its index, allowing access to any item index; your script just sets the quantity to 0. But since both are useful behaviours, I swap the water stones (ld [hli], a) with HP ups (inc hl) if I want to reset the item quantity without setting the index too.

Another question: Is there an easy way to find the memory locations and ROM banks that correspond to a particular label in the disassembly? I had an idea for a script to make tossing items a bit less tedious by copying the graphics for digits or letters over the place where the game reads tiles for glitch quantities from, so it would be easier to see at a glance how many items you have / are tossing, but I'd need the locations for CopyVideoData and FontGraphics.
13
Thanks! I obtained an 8F on VC blue and got the setup working yesterday, just using normal encounters, in about 3.5 hours.

I made a simple script to easily obtain any item, which is very useful for building other scripts:

Code:
ldd a, (hl)
ldd a, (hl)
ldi (hl), a
inc b ; filler
ld (hl), 1
dec (hl)
inc b ; filler
ret
which compiles to
Code:
Dire Hit x58
Water Stone x4
Max revive x1
Revive x4
TM01 x[Any qty]
This sets the index of the 2nd item to its quantity (make sure 8F is the first item, obviously), and its quantity to 0 for easy tossing to any desired quantity.

This requires only items that can be bought from the Celadon dept. store, with no Missingno duping.

Then, you can use it once to get a Max revive x0 stack, so you can get rid of the revive to compact the script slightly.
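Posts 6, 11 and 13 above all rely on the same encoding: each bag slot is two bytes, item ID then quantity, and once 8F redirects execution into the bag the CPU runs those bytes as SM83 instructions. The Python script below is an added example, not code from the posts, from pokered, or from ISSOtm's compiler. Its item-ID table is an assumption reconstructed from the opcode comments in these posts (Repel = ld e, n; Carbos = ld h, n; Water Stone = ld [hli], a; TM01 = ret, and so on), its disassembler covers only the opcodes those scripts use, and every "x[Any qty]" is encoded with a placeholder quantity of 1. It encodes the item lists exactly as written in the posts and disassembles the result, so the bag-to-instructions mapping can be checked on a PC before touching a real save.

```python
# Item IDs as the bag stores them. ASSUMPTION: reconstructed from the opcode
# comments in these posts (Repel = ld e, n; Carbos = ld h, n; TM01 = ret ...),
# not copied from the game's item table.
ITEM_ID = {
    "Master Ball": 0x01, "Poké Ball": 0x04, "Awakening": 0x0E, "Repel": 0x1E,
    "Water Stone": 0x22, "HP Up": 0x23, "Carbos": 0x26, "X Accuracy": 0x2E,
    "Revive": 0x35, "Max Revive": 0x36, "Dire Hit": 0x3A, "Lemonade": 0x3E,
    "X Speed": 0x43, "H#": 0xC3, "TM01": 0xC9, "TM05": 0xCD, "TM10": 0xD2,
    "TM18": 0xDA, "TM29": 0xE5,
}

# SM83 opcodes used by the scripts on this page: opcode -> (format, length).
# Only a subset; anything else is emitted as a raw db byte.
OPCODES = {
    0x00: ("nop", 1), 0x01: ("ld bc, ${nn:04X}", 3), 0x04: ("inc b", 1),
    0x0E: ("ld c, ${n:02X}", 2), 0x1E: ("ld e, ${n:02X}", 2),
    0x22: ("ld [hli], a", 1), 0x23: ("inc hl", 1), 0x26: ("ld h, ${n:02X}", 2),
    0x2E: ("ld l, ${n:02X}", 2), 0x35: ("dec [hl]", 1),
    0x36: ("ld [hl], ${n:02X}", 2), 0x3A: ("ld a, [hld]", 1),
    0x3E: ("ld a, ${n:02X}", 2), 0x40: ("ld b, b", 1), 0x43: ("ld b, e", 1),
    0x48: ("ld c, b", 1), 0x54: ("ld d, h", 1), 0xC3: ("jp ${nn:04X}", 3),
    0xC9: ("ret", 1), 0xCD: ("call ${nn:04X}", 3), 0xD2: ("jp nc, ${nn:04X}", 3),
    0xDA: ("jp c, ${nn:04X}", 3), 0xE5: ("push hl", 1), 0xE9: ("jp hl", 1),
}
FLOW_ENDS = {0xC9, 0xC3}  # ret / jp: execution leaves the bag bytes here


def items_to_bytes(script):
    """Encode [(item name, quantity), ...] as the bag stores it: id, qty, id, qty."""
    out = bytearray()
    for name, qty in script:
        if not 0 <= qty <= 255:
            raise ValueError(f"quantity out of range for {name}: {qty}")
        out += bytes([ITEM_ID[name], qty])
    return bytes(out)


def disassemble(data):
    """Decode bytes as SM83 code, stopping after ret or jp (control leaves the bag)."""
    lines, pc = [], 0
    while pc < len(data):
        op = data[pc]
        if op not in OPCODES:
            lines.append(f"db ${op:02X}  ; outside this demo's opcode subset")
            pc += 1
            continue
        fmt, length = OPCODES[op]
        if pc + length > len(data):
            lines.append(f"db ${op:02X}  ; truncated instruction")
            break
        args = {}
        if length == 2:
            args["n"] = data[pc + 1]
        elif length == 3:
            args["nn"] = data[pc + 1] | (data[pc + 2] << 8)  # little-endian
        lines.append(fmt.format(**args))
        pc += length
        if op in FLOW_ENDS:
            break
    return lines


# The item lists from posts 11, 13 and 6, quantities as written there.
LETTER_TILES = [("Carbos", 90), ("Master Ball", 14), ("Poké Ball", 84),
                ("Repel", 128), ("Carbos", 24), ("X Accuracy", 134), ("TM29", 0),
                ("Carbos", 144), ("X Accuracy", 0), ("TM01", 1)]
ANY_ITEM = [("Dire Hit", 58), ("Water Stone", 4), ("Max Revive", 1),
            ("Revive", 4), ("TM01", 1)]
BOOTSTRAP_JP = [("H#", 128), ("TM18", 1)]          # jp $DA80
BOOTSTRAP_JP_C = [("TM18", 128), ("TM18", 201)]    # jp c, $DA80 then ret

if __name__ == "__main__":
    for name, script in [("letter tiles", LETTER_TILES), ("any item", ANY_ITEM),
                         ("bootstrap", BOOTSTRAP_JP), ("bootstrap (jp c)", BOOTSTRAP_JP_C)]:
        print(f"--- {name}: {items_to_bytes(script).hex(' ')}")
        print("\n".join(disassemble(items_to_bytes(script))))
```

The disassembler is deliberately strict about instruction length: a quantity byte that lands in the immediate of a 2- or 3-byte instruction is consumed as data, which is why a conditional jp needs the ret to sit in the very next byte (the "x201" quantity) rather than relying on whatever item happens to follow.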
14
MrCheeze's virus patches the first two bytes with jp 78, and at the location it jumps to it then calls the custom code and jumps back to the rest of the OAM script. The custom code sets the a register correctly.

Anyway, this is really cool! I want to add Marill and call it Pikablu to troll my friends
15
What would be the fastest/easiest way to get a working 8F setup starting from a brand new save file?

I'm guessing it would start out like the standard speedrun route (Brock thru walls to Saffron, encounter missingno via Trainer Fly with Abra, then item underflow) but then use the underflow to obtain 8F instead... Then what would be the optimal way to get all the pokémon required for the bootstrap? Regular encounters, or trainer fly?